THE SENATE S.R. NO. 26 THIRTY-THIRD LEGISLATURE, 2025 STATE OF HAWAII SENATE RESOLUTION strongly supporting and recommending the implementation of the revised 2025 hawaii patient bill of rights.
THE SENATE S.R. NO. 26
THIRTY-THIRD LEGISLATURE, 2025
STATE OF HAWAII
THE SENATE
S.R. NO.
26
THIRTY-THIRD LEGISLATURE, 2025
STATE OF HAWAII
SENATE RESOLUTION
strongly supporting and recommending the implementation of the revised 2025 hawaii patient bill of rights.
WHEREAS, Hawaii pioneered employer-supported health insurance through the Prepaid Health Care Act of 1974; however, the State continues to face severe physician, nurse, and dentist shortages, with over thirty-five percent of the population residing in federally designated Health Professional Shortage Areas--the highest percentage in the nation; and WHEREAS, the University of Hawaii Health Research Center found that forty-two percent of surveyed physicians reported patient harm or serious adverse events attributable to prior authorization delays or denials, emphasizing a need for streamlined insurance processes; and WHEREAS, recent increases in claims denials, particularly those driven by automated or artificial intelligence (AI)-based systems, underscore the necessity for greater transparency, specialist review, and patient-friendly appeals mechanisms; and WHEREAS, the original Hawaii Patient Bill of Rights, enacted over twenty-five years ago, now requires substantial updates to address modern challenges, such as AI-driven denials, telehealth accessibility, data-offshoring risks, and persistent network inadequacies on the neighbor islands and in rural areas; and WHEREAS, patients, health care providers, and cybersecurity experts cite the need for robust data protection measures that accommodate legitimate offshoring services while maintaining Health Insurance Portability and Accountability Act-equivalent safeguards, timely breach notifications, and strong enforcement; and WHEREAS, the Insurance Commissioner's office needs expanded authority, resources, and reporting mechanisms to effectively audit, investigate, and sanction noncompliant insurers or billing entities, ensuring consistent and accountable enforcement of patients' rights; and WHEREAS, the Revised 2025 Hawaii Patient Bill of Rights is an essential modernization step that prioritizes patient autonomy, transparent healthcare, timely access, robust data protection, AI accountability, and real enforcement--all while recognizing the practical realities of insurers, providers, and patients in a rapidly evolving healthcare landscape; now, therefore, BE IT RESOLVED by the Senate of the Thirty-third Legislature of the State of Hawaii, Regular Session of 2025, that this body strongly supports and recommends the implementation of the following Revised 2025 Hawaii Patient Bill of Rights: Foreword and Definitions 1. Purpose: This Bill of Rights modernizes patient protections to address AI-based coverage decisions, data security risks, and ongoing provider shortages in Hawaii. 2. Definitions: o AI or Automated Decision System: Any algorithmic or software-based platform that can autonomously generate or recommend coverage determinations without direct human supervision. o HIPAA-equivalent Security: A standard of data protection meeting or exceeding requirements set forth in 45 C.F.R. Parts 160 and 164 (HIPAA Privacy and Security Rules). o Urgent vs. Non-Urgent: Urgent requests are those where delays could seriously jeopardize a patient's health, life, or overall well-being; non-urgent requests include all other prior authorizations not qualifying as urgent. 1. Clear Information Patients must receive clear, written (and, if necessary, translated) explanations from their health insurance plan regarding covered and non-covered services, presented at a reading level understandable to the average enrollee. 2. Provider Directory All insurers must maintain and publicly post an up-to-date, accurate, and easily accessible directory of in-network providers, updated at least quarterly, listing each provider's specialty, languages spoken, telehealth availability, and current patient capacity. 3. Specialist Referrals All patients must be able to obtain timely specialist referrals without undue administrative barriers or delays. Insurers shall clearly communicate referral steps and expedite such referrals in urgent or complex cases. 4. Emergency Care No insurer may deny coverage for legitimate emergency services based on retrospective review. If a patient believes in good faith that their life or health is endangered, they have the right to seek immediate emergency care without facing post-service coverage denials. 5. Explanation of Illness, Options, and Patient Autonomy 5.1 Right to Understand Care: Patients are entitled to a clear explanation of their diagnosis, treatment options (including the option to decline treatment), and potential outcomes or risks from their healthcare provider, ensuring fully informed consent. 5.2 Right to Accept or Decline Treatment: Every mentally competent patient (or as decided by their legal health care proxy) has the right to accept, receive, reject, or discontinue any legal medical care, treatment, or prescribed medication from any legally licensed medical provider, and the right to not have that decision denied, prevented, restricted, or impeded by other persons. 6. Appeals and External Review 6.1 Notice and Forms: Whenever coverage is denied, insurers must provide a universal external review request form and a step-by-step guide (in print or digital form) explaining how to appeal. 6.2 Online FAQ and Hotline: Insurers shall maintain an online FAQ regarding appeals, alongside a toll-free hotline to assist patients. 6.3 Enforcement: The Insurance Commissioner may impose financial penalties or other administrative measures on insurers failing to publicize or comply with state and federal appeals requirements. 7. Network Adequacy, Telehealth, and Rural Access 7.1 Coverage in Shortage Areas: Patients in federally designated Health Professional Shortage Areas must have timely access to primary and specialty care. 7.2 Reporting Requirements: Insurers shall submit quarterly reports detailing provider-to-patient ratios, average wait times, and referral outcomesdisaggregated by region or island. 7.3 Telehealth Provisions: Telehealth services, if legally permissible within a provider's scope of practice, shall be covered at parity with in-person services to mitigate access barriers. 7.4. Prohibition of Burdensome Prior Authorization: Prior authorization procedures in shortage areas must not unduly limit provider productivity or delay critical patient care. 8. Transparent and Timely Prior Authorization 8.1 Turnaround Times: o Urgent Requests: One business day for a decision. o Non-Urgent Requests: Three business days for a decision. 8.2 AI Oversight: o If AI or an automated decision system initiates a denial, that denial must be reviewed and co-signed by a board-certified specialist in the relevant field before being finalized. o Patients and providers shall be notified in writing when AI is used at any stage of the coverage determination. 8.3 Data Tracking: Insurers must compile and submit monthly data on prior authorization approval/denial rates, average processing times, and the percentage of AI-based denials overturned on appeal. 9. Data Protection and Privacy 9.1 HIPAA-equivalent Safeguards: All accredited health plans or billing entities, whether located onshore or offshore, must uphold HIPAA-level security measures when storing or transmitting personally identifiable patient data (including Social Security numbers, medical ID numbers, etc.). 9.2 Offshoring Accountability: o Prior to offshoring data, an entity must file an attestation with the Insurance Commissioner confirming that any overseas subcontractors adhere to encryption, breach notification, audit logging, and confidentiality protocols. o Entities shall undergo random audits or produce security certifications upon request. 9.3 Breach Notification and Penalties: In the event of a suspected or actual data breach, the entity must notify affected patients and the Insurance Commissioner within 72 hours, implementing a corrective action plan. Repeated or willful violations may result in fines, revocation of accreditation, or other sanctions. 10. Enforcement and Oversight 10.1 Authority of the Insurance Commissioner: o Empowered to audit, investigate, and enforce all provisions of this Bill of Rights. o May impose fines, clawbacks, revocation of accreditation, and other appropriate remedies for noncompliance. 10.2 Annual Public Report: o The Insurance Commissioner shall publish an annual report detailing enforcement actions, complaint data, AI usage rates, denial statistics, and any data breaches or security infractions. o The report shall include trend analyses (e.g., median time-to-decision for prior authorizations, telehealth adoption rates, network adequacy improvements). 10.3 Multidisciplinary Advisory Group: o Composed of physicians, cybersecurity experts, patient advocates, telehealth specialists, and others. o Convenes periodically to review compliance, recommend updates, and study emerging issues (e.g., advanced AI, new data-security threats). 11. Anti-Retaliation and Support for Providers 11.1 Anti-Retaliation: Insurers, health plans, or affiliated entities shall not retaliate against providers (e.g., network exclusion or contract termination) for filing formal complaints, submitting testimony, or participating in external reviews concerning the insurer's compliance with this Bill of Rights. 11.2 Technical Assistance: The Insurance Commissioner, in collaboration with the Department of Health, shall explore or establish technical support programs to help smaller or rural practices adopt secure data systems, comply with prior authorization reporting, and integrate telehealth services effectively. 12. Phased Implementation 12.1 Immediate Effect: Provisions related to patient communications (Items 1 to 6), emergency care, and urgent prior authorizations (Item 8.1) shall take effect immediately upon enactment. 12.2 Data Offshoring and AI Protocols: Insurers may have six to twelve months from the date of enactment to fully implement or certify AI oversight processes and offshore data security compliance (excluding Social Security numbers and medical ID numbers, which must be protected immediately). 12.3 Follow-up Review: Within one year of implementation, the Insurance Commissioner shall submit a progress report to the Legislature with recommendations for any further legislative refinements.; and BE IT FURTHER RESOLVED that all insurers, health care providers, and billing entities are strongly encouraged to begin voluntary compliance with these updated patient protections prior to any mandatory deadlines in order to foster a collaborative and smooth transition; and BE IT FURTHER RESOLVED that ongoing stakeholder input will be sought to address outstanding issues, such as payment parity, facility fees, and self-insured plan coverage, which may require additional state or federal action; and BE IT FURTHER RESOLVED that certified copies of this Resolution be transmitted to the Governor, Director of Health, Director of Commerce and Consumer Affairs, and Insurance Commissioner. OFFERED BY: _____________________________
WHEREAS, Hawaii pioneered employer-supported health insurance through the Prepaid Health Care Act of 1974; however, the State continues to face severe physician, nurse, and dentist shortages, with over thirty-five percent of the population residing in federally designated Health Professional Shortage Areas--the highest percentage in the nation; and
WHEREAS, the University of Hawaii Health Research Center found that forty-two percent of surveyed physicians reported patient harm or serious adverse events attributable to prior authorization delays or denials, emphasizing a need for streamlined insurance processes; and
WHEREAS, recent increases in claims denials, particularly those driven by automated or artificial intelligence (AI)-based systems, underscore the necessity for greater transparency, specialist review, and patient-friendly appeals mechanisms; and
WHEREAS, the original Hawaii Patient Bill of Rights, enacted over twenty-five years ago, now requires substantial updates to address modern challenges, such as AI-driven denials, telehealth accessibility, data-offshoring risks, and persistent network inadequacies on the neighbor islands and in rural areas; and
WHEREAS, patients, health care providers, and cybersecurity experts cite the need for robust data protection measures that accommodate legitimate offshoring services while maintaining Health Insurance Portability and Accountability Act-equivalent safeguards, timely breach notifications, and strong enforcement; and
WHEREAS, the Insurance Commissioner's office needs expanded authority, resources, and reporting mechanisms to effectively audit, investigate, and sanction noncompliant insurers or billing entities, ensuring consistent and accountable enforcement of patients' rights; and
WHEREAS, the Revised 2025 Hawaii Patient Bill of Rights is an essential modernization step that prioritizes patient autonomy, transparent healthcare, timely access, robust data protection, AI accountability, and real enforcement--all while recognizing the practical realities of insurers, providers, and patients in a rapidly evolving healthcare landscape; now, therefore,
BE IT RESOLVED by the Senate of the Thirty-third Legislature of the State of Hawaii, Regular Session of 2025, that this body strongly supports and recommends the implementation of the following Revised 2025 Hawaii Patient Bill of Rights:
Foreword and Definitions
1. Purpose: This Bill of Rights modernizes patient protections to address AI-based coverage decisions, data security risks, and ongoing provider shortages in Hawaii.
2. Definitions:
o AI or Automated Decision System: Any algorithmic or software-based platform that can autonomously generate or recommend coverage determinations without direct human supervision.
o HIPAA-equivalent Security: A standard of data protection meeting or exceeding requirements set forth in 45 C.F.R. Parts 160 and 164 (HIPAA Privacy and Security Rules).
o Urgent vs. Non-Urgent: Urgent requests are those where delays could seriously jeopardize a patient's health, life, or overall well-being; non-urgent requests include all other prior authorizations not qualifying as urgent.
1. Clear Information
Patients must receive clear, written (and, if necessary, translated) explanations from their health insurance plan regarding covered and non-covered services, presented at a reading level understandable to the average enrollee.
2. Provider Directory
All insurers must maintain and publicly post an up-to-date, accurate, and easily accessible directory of in-network providers, updated at least quarterly, listing each provider's specialty, languages spoken, telehealth availability, and current patient capacity.
3. Specialist Referrals
All patients must be able to obtain timely specialist referrals without undue administrative barriers or delays. Insurers shall clearly communicate referral steps and expedite such referrals in urgent or complex cases.
4. Emergency Care
No insurer may deny coverage for legitimate emergency services based on retrospective review. If a patient believes in good faith that their life or health is endangered, they have the right to seek immediate emergency care without facing post-service coverage denials.
5. Explanation of Illness, Options, and Patient Autonomy
5.1 Right to Understand Care: Patients are entitled to a clear explanation of their diagnosis, treatment options (including the option to decline treatment), and potential outcomes or risks from their healthcare provider, ensuring fully informed consent.
5.2 Right to Accept or Decline Treatment: Every mentally competent patient (or as decided by their legal health care proxy) has the right to accept, receive, reject, or discontinue any legal medical care, treatment, or prescribed medication from any legally licensed medical provider, and the right to not have that decision denied, prevented, restricted, or impeded by other persons.
6. Appeals and External Review
6.1 Notice and Forms: Whenever coverage is denied, insurers must provide a universal external review request form and a step-by-step guide (in print or digital form) explaining how to appeal.
6.2 Online FAQ and Hotline: Insurers shall maintain an online FAQ regarding appeals, alongside a toll-free hotline to assist patients.
6.3 Enforcement: The Insurance Commissioner may impose financial penalties or other administrative measures on insurers failing to publicize or comply with state and federal appeals requirements.
7. Network Adequacy, Telehealth, and Rural Access
7.1 Coverage in Shortage Areas: Patients in federally designated Health Professional Shortage Areas must have timely access to primary and specialty care.
7.2 Reporting Requirements: Insurers shall submit quarterly reports detailing provider-to-patient ratios, average wait times, and referral outcomesdisaggregated by region or island.
7.3 Telehealth Provisions: Telehealth services, if legally permissible within a provider's scope of practice, shall be covered at parity with in-person services to mitigate access barriers.
7.4. Prohibition of Burdensome Prior Authorization: Prior authorization procedures in shortage areas must not unduly limit provider productivity or delay critical patient care.
8. Transparent and Timely Prior Authorization
8.1 Turnaround Times:
o Urgent Requests: One business day for a decision.
o Non-Urgent Requests: Three business days for a decision.
8.2 AI Oversight:
o If AI or an automated decision system initiates a denial, that denial must be reviewed and co-signed by a board-certified specialist in the relevant field before being finalized.
o Patients and providers shall be notified in writing when AI is used at any stage of the coverage determination.
8.3 Data Tracking: Insurers must compile and submit monthly data on prior authorization approval/denial rates, average processing times, and the percentage of AI-based denials overturned on appeal.
9. Data Protection and Privacy
9.1 HIPAA-equivalent Safeguards: All accredited health plans or billing entities, whether located onshore or offshore, must uphold HIPAA-level security measures when storing or transmitting personally identifiable patient data (including Social Security numbers, medical ID numbers, etc.).
9.2 Offshoring Accountability:
o Prior to offshoring data, an entity must file an attestation with the Insurance Commissioner confirming that any overseas subcontractors adhere to encryption, breach notification, audit logging, and confidentiality protocols.
o Entities shall undergo random audits or produce security certifications upon request.
9.3 Breach Notification and Penalties: In the event of a suspected or actual data breach, the entity must notify affected patients and the Insurance Commissioner within 72 hours, implementing a corrective action plan. Repeated or willful violations may result in fines, revocation of accreditation, or other sanctions.
10. Enforcement and Oversight
10.1 Authority of the Insurance Commissioner:
o Empowered to audit, investigate, and enforce all provisions of this Bill of Rights.
o May impose fines, clawbacks, revocation of accreditation, and other appropriate remedies for noncompliance.
10.2 Annual Public Report:
o The Insurance Commissioner shall publish an annual report detailing enforcement actions, complaint data, AI usage rates, denial statistics, and any data breaches or security infractions.
o The report shall include trend analyses (e.g., median time-to-decision for prior authorizations, telehealth adoption rates, network adequacy improvements).
10.3 Multidisciplinary Advisory Group:
o Composed of physicians, cybersecurity experts, patient advocates, telehealth specialists, and others.
o Convenes periodically to review compliance, recommend updates, and study emerging issues (e.g., advanced AI, new data-security threats).
11. Anti-Retaliation and Support for Providers
11.1 Anti-Retaliation: Insurers, health plans, or affiliated entities shall not retaliate against providers (e.g., network exclusion or contract termination) for filing formal complaints, submitting testimony, or participating in external reviews concerning the insurer's compliance with this Bill of Rights.
11.2 Technical Assistance: The Insurance Commissioner, in collaboration with the Department of Health, shall explore or establish technical support programs to help smaller or rural practices adopt secure data systems, comply with prior authorization reporting, and integrate telehealth services effectively.
12. Phased Implementation
12.1 Immediate Effect: Provisions related to patient communications (Items 1 to 6), emergency care, and urgent prior authorizations (Item 8.1) shall take effect immediately upon enactment.
12.2 Data Offshoring and AI Protocols: Insurers may have six to twelve months from the date of enactment to fully implement or certify AI oversight processes and offshore data security compliance (excluding Social Security numbers and medical ID numbers, which must be protected immediately).
12.3 Follow-up Review: Within one year of implementation, the Insurance Commissioner shall submit a progress report to the Legislature with recommendations for any further legislative refinements.; and
BE IT FURTHER RESOLVED that all insurers, health care providers, and billing entities are strongly encouraged to begin voluntary compliance with these updated patient protections prior to any mandatory deadlines in order to foster a collaborative and smooth transition; and
BE IT FURTHER RESOLVED that ongoing stakeholder input will be sought to address outstanding issues, such as payment parity, facility fees, and self-insured plan coverage, which may require additional state or federal action; and
BE IT FURTHER RESOLVED that certified copies of this Resolution be transmitted to the Governor, Director of Health, Director of Commerce and Consumer Affairs, and Insurance Commissioner.
OFFERED BY: _____________________________
OFFERED BY:
_____________________________
Report Title: Revised 2025 Hawaii Patient Bill of Rights
Report Title:
Revised 2025 Hawaii Patient Bill of Rights